4.8.6. HOWTO Configure NFS¶
This chapter describes multiple configurations of NFS including:
All implementations are based on pupmod-simp-nfs
, pupmod-simp-simp_nfs
,
and pupmod-simp-simp
.
Note
pupmod-simp-simp_nfs
and pupmod-simp-nfs
are not core modules, and
may need to be installed prior to following this guide.
4.8.6.1. Exporting Arbitrary Directories¶
Goal: Export /var/nfs_share
on the server, mount as /mnt/nfs
on the
client.
Note
If anything in this section does not make sense, there is a full working
example of how to export NFS home directories in the simp_nfs
module.
4.8.6.1.1. Server¶
In site/manifests/nfs_server.pp
:
class site::nfs_server (
Boolean $data_dir = '/var/nfs_share',
Simplib::Netlist $trusted_nets = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] }),
Array[Enum['none','sys','krb5','krb5i','krb5p']] $sec = ['sys']
){
include '::nfs::server'
file { $data_dir:
ensure => 'directory',
owner => 'root',
group => 'root',
mode => '0644'
}
if !$::nfs::stunnel {
nfs::server::export { 'nfs_share':
clients => $trusted_nets,
export_path => $data_dir,
sec => $sec,
require => File[$data_dir]
}
}
else {
# Stunnel needs to point at the local host
nfs::server::export { 'nfs_share':
clients => ['127.0.0.1'],
export_path => $data_dir,
sec => $sec,
require => File[$data_dir]
}
}
}
In hosts/<your_server_fqdn>.yaml
:
nfs::is_server: true
classes:
- 'site::nfs_server'
4.8.6.1.2. Client¶
In site/manifests/nfs_client.pp
:
class site::nfs_client (
Simplib::Host $nfs_server,
Enum['none','sys','krb5','krb5i','krb5p'] $sec = 'sys'
){
$_mnt_point = '/mnt/nfs'
file { "${_mnt_point}":
ensure => 'directory',
mode => '755',
owner => 'root',
group => 'root'
}
nfs::client::mount { "${_mnt_point}":
nfs_server => $nfs_server,
remote_path => '/var/nfs_share',
sec => $sec,
at_boot => true,
autofs => false,
require => File["${_mnt_point}"]
}
}
In hosts/<your_client_fqdn>.yaml
:
nfs::is_server: false
site::nfs_client::nfs_server: <your nfs server>
classes:
- 'site::nfs_client'
Warning
Non-wildcard indirect autofs mounts configured via nfs::client::mount are not working properly at this time. See SIMP-2944 in our JIRA Bug Tracking . You may wish to manually configure the mount via autofs::map::master, and autofs::map::entry instead.
Note
The simp_nfs
module contains a further example that includes the
use of a NFS root on the server and indirect autofs with wildcards on
the client.
4.8.6.2. Exporting Home Directories¶
Goal: Export home directories for LDAP users.
Utilize the SIMP profile module simp_nfs
:
simp_nfs
: Manages client and server configurations for managing NFS home directories.simp_nfs::create_home_dirs
: Optional hourly cron job that binds to a LDAP server,simp_options::ldap::uri
by default, and creates a NFS home directory for all users in the LDAP server. Also expires any home directories for users that no longer exist in LDAP.
Note
The NFS deamon may take time to reload after module application. If your users do not have home directories immediately after application or it takes a while to log in, don’t panic!
Note
Any users logged onto a host at the time of module application will not have their home directories re-mounted until they log out and log back in.
4.8.6.2.1. default.yaml¶
nfs::is_server: false
simp_nfs::home_dir_server: <your nfs server>
classes:
- simp_nfs
4.8.6.2.2. Server¶
nfs::is_server: true
simp_nfs::export_home::create_home_dirs: true
classes:
- simp_nfs::export::home
4.8.6.3. Enabling/Disabling Stunnel¶
Stunnel is a means to encrypt your NFS data.
4.8.6.3.1. Enable¶
If simp_options::stunnel
is set to true
, you need only specify the
following, in the server’s YAML file:
Note
The following is set to prevent a cyclical connection of stunnel to itself, in the event the server is a client of itself.
nfs::client::stunnel::nfs_server: <your nfs server>
If simp_options::stunnel
is set to false
and you don’t wish to globally
enable stunnel, you will also need to set the following, in default.yaml:
nfs::stunnel: true
4.8.6.3.2. Disable¶
If simp_options::stunnel
is set to true
, but you don’t want your NFS
traffic to go through stunnel, set the following, in default.yaml:
nfs::stunnel: false
If simp_options::stunnel
is set to false
then stunnel is already disabled.
4.8.6.4. Enabling Kerberos¶
Warning
This functionality is incomplete. See ticket SIMP-1400 in our JIRA Bug Tracking . Until that ticket is resolved, it is HIGHLY recommended you continue to use stunnel for encrypted nfs traffic.
In addition to the sharing code (not the stunnel code) above, add the following:
4.8.6.4.1. default.yaml¶
classes:
- 'krb5::keytab'
nfs::secure_nfs: true
simp_options::krb5: true
krb5::kdc::auto_keytabs::global_services:
- 'nfs'
4.8.6.4.2. Server¶
classes:
- 'krb5::kdc'
4.8.6.4.3. Clients¶
nfs::is_server: false
classes:
- 'simp_nfs'